Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 9 HP-UX Role-Based Access Control

Troubleshooting HP-UX RBAC

» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

The following is a list of the primary mechanisms used to troubleshoot and debug HP-UX RBAC:

  • The rbacdbchk utility verifies HP-UX RBAC database syntax.

  • The privrun -v command reports additional and relevant information.

The rbacdbchk Database Syntax Tool

The most common bugs are caused by manual editing of the HP-UX RBAC databases, resulting in syntactically invalid configurations or in configurations that are inconsistent between databases (for example, a role in /etc/rbac/user_role that is not defined in /etc/rbac/roles). To assist in diagnosing these common mistakes, HP-UX RBAC includes an rbacdbchk command. This command reads through the HP-UX RBAC databases and prints warnings where incorrect or inconsistent configuration entries are found:

# rbacdbchk [/etc/rbac/user_role] chandrika: UserOperator invalid user The value 'chandrika' for the Username field is bad. [/etc/rbac/cmd_priv] /opt/cmd:dflt:(newop,*):0/0//:dflt:dflt:dflt: invalid command: Not found in the system The value '/opt/cmd' for the Command field is bad. [Role in role_auth DB with no assigned user in user_role DB] Rebooter:(hpux.admin.*, *) [Invalid Role in user_role DB. Role 'UserOperator' assigned to user 'chandrika' does not exist in the roles DB]

On a correctly configured system, the rbacdbchk command produces no output, indicating no errors are present.

privrun -v Information

The second method for detecting problems is to run the privrun command with the -v option (verbose mode). In verbose mode, privrun provides additional information about the entries that the input command matched and the status of the authorization checking, as well as other relevant data. In many cases, this output clarifies the issue causing privrun to fail. Specify the -v option multiple times for additional levels of verbose output. The following is an example of the privrun -v output with the ipfstat command:

# privrun -v /sbin/ipfstat privrun: user root intends to execute command /sbin/ipfstat privrun: input entry: '/sbin/ipfstat:dflt:(,):///:dflt:dflt::' privrun: found matching entry: '/sbin/ipfstat:dflt:(hpux.network.filter.readstat,*):0/0//:dflt:dflt::' privrun: passed authorization check privrun: attempting to set ruid/euid/rgid/egid to 0/0/-1/-1 privrun: current settings for ruid/euid/rgid/egid are 0/0/3/3 privrun: executing: /sbin/ipfstat
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.